Tcpdump Examples

Practical tcpdump examples to lift your network troubleshooting and security testing game. Commands and tips to not only use tcpdump but master ways to know your network.

Knowing tcpdump is an essential skill that will come in handy for any system administrator, network engineer or security professional.

First The Basics

Breaking down the Tcpdump Command Line

The following command uses common parameters often seen when wielding the tcpdump scalpel.

:~$ sudo tcpdump -i eth0-nn-s0-vport 80

-i : Select interface that the capture is to take place on, this will often be an ethernet card or wireless adapter but could also be a vlan or something more unusual. Not always required if there is only one network adapter.-nn : A single (n) will not resolve hostnames. A double (nn) will not resolve hostnames or ports. This is handy for not only viewing the IP / port numbers but also when capturing a large amount of data, as the name resolution will slow down the capture.-s0 : Snap length, is the size of the packet to capture. -s0 will set the size to unlimited - use this if you want to capture all the traffic. Needed if you want to pull binaries / files from network traffic.-v : Verbose, using (-v) or (-vv) increases the amount of detail shown in the output, often showing more protocol specific information.port 80 : this is a common port filter to capture only traffic on port 80, that is of course usually HTTP.

Display ASCII text

Adding -A to the command line will have the output include the ascii strings from the capture. This allows easy reading and the ability to parse the output using grep or other commands. Another option that shows both hexadecimal output and ASCII is the -X option.

:~$ sudo tcpdump -A -s0 port 80

Capture on Protocol

Filter on UDP traffic. Another way to specify this is to use protocol 17 that is udp. These two commands will produce the same result. The equivalent of the tcp filter is protocol 6.

:~$ sudo tcpdump -i eth0 udp:~$ sudo tcpdump -i eth0 proto 17

Capture Hosts based on IP address

Using the host filter will capture traffic going to (destination) and from (source) the IP address.

:~$ sudo tcpdump -i eth0 host 10.10.1.1

Alternatively capture only packets going one way using src or dst.

:~$ sudo tcpdump -i eth0 dst 10.10.1.20

Write a capture file

Writing a standard pcap file is a common command option. Writing a capture file to disk allows the file to be opened in Wireshark or other packet analysis tools.

:~$ sudo tcpdump -i eth0 -s0 -w test.pcap

Line Buffered Mode

Without the option to force line (-l) buffered (or packet buffered -C) mode you will not always get the expected response when piping the tcpdump output to another command such as grep. By using this option the output is sent immediately to the piped command giving an immediate response when troubleshooting.

:~$ sudo tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Combine Filters

Throughout these examples you can use standard logic to combine different filters.

and or &&or or ||not or !

Practical Examples

In many of these examples there are a number of ways that the result could be achieved. As seen in some of the examples it is possible to focus the capture right down to individual bits in the packet.

The method you will use will depend on your desired output and how much traffic is on the wire. Capturing on a busy gigabit link may force you to use specific low level packet filters.

When troubleshooting you often simply want to get a result. Filtering on the port and selecting ascii output in combination with grep, cut or awk will often get that result. You can always go deeper into the packet if required.

For example when capturing HTTP requests and responses you could filter out all packets except the data by removing SYN /ACK / FIN however if you are using grep the noise will be filtered anyway. Keep it simple.

This can be seen in the following examples, where the aim is to get a result in the simplest (and therefore fastest) manner.

1. Extract HTTP User Agents

Extract HTTP User Agent from HTTP request header.

:~$ sudo tcpdump -nn -A -s1500 -l | grep "User-Agent:"

By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.

:~$ sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

2. Capture only HTTP GET and POST packets

Alternatively we can select only on POST requests. Note that the POST data may not be included in the packet captured with this filter. It is likely that a POST request will be split across multiple TCP data packets.

10. Capture SNMP Query and Response

Using onesixtyone the fast SNMP protocol scanner we test an SNMP service on our local network and capture the GetRequest and GetResponse. For anyone who has had the (dis)pleasure of troubleshooting SNMP, this is a great way to see exactly what is happening on the wire. You can see the OID clearly in the traffic, very helpful when wrestling with MIBS.

11. Capture FTP Credentials and Commands

Capturing FTP commands and login details is straight forward. After the authentication is established an FTP session can be active or passive this will determine whether the data part of the session is conducted over TCP port 20 or another ephemeral port. With the following command you will USER and PASS in the output (which could be fed to grep) as well as the FTP commands such as LIST, CWD and PASSIVE.

:~$ sudo tcpdump -nn -v port ftp or ftp-data

12. Rotate Capture Files

When capturing large amounts of traffic or over a long period of time it can be helpful to automatically create new files of a fixed size. This is done using the parameters -W, -G and -C.

In this command the file capture-(hour).pcap will be created every (-G) 3600 seconds (1 hour). The files will be overwritten the following day. So you should end up with capture-{1-24}.pcap, if the hour was 15 the new file is (/tmp/capture-15.pcap).

:~$ tcpdump -w /tmp/capture-%H.pcap -G 3600 -C 200

13. Capture IPv6 Traffic

Capture IPv6 traffic using the ip6 filter. In these examples we have specified the TCP and UDP protocols using proto 6 and proto 17.

tcpdump -nn ip6 proto 6

IPv6 with UDP and reading from a previously saved capture file.

tcpdump -nr ipv6-test.pcap ip6 proto 17

14. Detect Port Scan in Network Traffic

In the following example you can see the traffic coming from a single source to a single destination. The Flags [S] and [R] can be seen and matched against a seemingly random series of destination ports. These ports are seen in the RESET that is sent when the SYN finds a closed port on the destination system. This is standard behaviour for a port scan by a tool such as Nmap.

We have another tutorial on Nmap that details captured port scans (open / closed / filtered) in a number of Wireshark captures.

16. Capture Start and End Packets of every non-local host

This example is straight out of the tcpdump man page. By selecting on the tcp-syn and tcp-fin packets we can show each established TCP conversation with timestamps but without the data. As with many filters this allows the amount of noise to be reduced in order to focus in on the information that you care about.

18. Capture HTTP data packets

19. Capture with tcpdump and view in Wireshark

Parsing and analysis of full application streams such as HTTP is much easier to perform with Wireshark (or tshark) rather than tcpdump. It is often more practical to capture traffic on a remote system using tcpdump with the write file option. Then copy the pcap to the local workstation for analysis with Wireshark.

Other than manually moving the file from the remote system to the local workstation it is possible to feed the capture to Wireshark over the SSH connection in real time. This tip is a favorite, pipe the raw tcpdump output right into wireshark on your local machine. Don't forget the not port 22 so you are not capturing your SSH traffic.

Another tip is to use count -c on the remote tcpdump to allow the capture to finish otherwise hitting ctrl-c will not only kill tcpdump but also Wireshark and your capture.

20. Top Hosts by Packets

List the top talkers for a period of time or number of packets. Using simple command line field extraction to get the IP address, sort and count the occurrances. Capture is limited by the count option -c.

21. Capture all the plaintext passwords

In this command we are focusing on standard plain text protocols and chosing to grep on anything user or password related. By selecting the -B5 option on grep the aim is to get the preceding 5 lines that may provide context around the captured password (hostname, ip address, system).

22. DHCP Example

And our final tcpdump example is for monitoring DHCP request and reply. DHCP requests are seen on port 67 and the reply is on 68. Using the verbose parameter -v we get to see the protocol options and other details.

Wrapping Up

These tcpdump examples, tips and commands are intended to give you a base understanding of the possibilities. Depending on what you are trying to achieve there are many ways that you could go deeper or combine different capture filters to suit your requirements.

Combining tcpdump with Wireshark is a powerful combination, particularly when you wish to dig into full application layer sessions as the decoders can assemble the full stream. We recently did a major update to our Wireshark Tutorial.

Thanks for reading, check out the man page for more detail and if you have any comments or suggestions please drop me a note using the contact form. Happy Packet Analysis!